Study: Open source poses security risks

ZDNet ^ | May 31, 2002, 9:30 AM PT | Matthew Broersma

[Bush2000]

A conservative U.S. think tank suggests in an upcoming report that open-source software is inherently less secure than proprietary software, and warns governments against relying on it for national security.

The white paper, Opening the Open Source Debate, from the Alexis de Tocqueville Institution (ADTI) will suggest that open source opens the gates to hackers and terrorists.

"Terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal government attempts to switch to 'open source' as some groups propose," ADTI said in a statement released ahead of the report.

Open-source software is freely available for distribution and modification, as long as the modified software is itself available under open-source terms. The Linux operating system is the best-known example of open source, having become popular in the Web server market because of its stability and low cost.

Many researchers have also suggested that since a large community contributes to and scrutinizes open-source code, security holes are less likely to occur than in proprietary software, and can be caught and fixed more quickly.

The ADTI white paper, to be released next week, will take the opposite line, outlining "how open source might facilitate efforts to disrupt or sabotage electronic commerce, air traffic control or even sensitive surveillance systems," the institute said.

"Computer systems are the backbone to U.S. national security," said ADTI Chairman Gregory Fossedal. "Before the Pentagon and other federal agencies make uninformed decisions to alter the very foundation of computer security, they should study the potential consequences carefully."

[Crispy]

"MS Windows source code is available under license. This is not surprising since the DoD, NSA, and other similar agencies require access to source code. Have a nice day."

Okay... But you can freely download open source off the net without signing some stupid license agreement and probably in the case of Microsoft, forking over a chunk of change. Thus, more people look at Open source code than Microsoft code. Have a nice day yourself.

[Crispy]

"There are people out there who believe that open source security will save their asses. That's an awfully big check to write..."

There are people out there who believe that Microsoft security will save their asses. That's a friggin huge check to write..."

[Bush2000]

Okay... But you can freely download open source off the net without signing some stupid license agreement and probably in the case of Microsoft, forking over a chunk of change.

The original issue was availability of source code to government agencies such as the FBI, DOD, CIA, etc, not a bunch of teen hackers. MS has met that burden.

[Bush2000]

There are people out there who believe that Microsoft security will save their asses. That's a friggin huge check to write..."

Which is a good caveat: Nobody should take security for granted on any platform.

[rdb3]

"Cyberterrorism" is on overplayed threat, imo. Fortunately our enemies tend to be primitivists with little education or love for technology. The possibility of these yoyos mounting a orchestrated attack of a magnitude to do serious damage to national security is probably pretty remote.

On one hand, I agree with your assertion that the chances of this happening is remote due to their lack of sophistication in using technology. But on the other hand, let's not forget that some Muslims like bin Laden are men of means. In other words, what's preventing him from hiring European hackers who are anti-American and paying them untold amounts of money?

Money talks; BS runs a marathon.

[bobwoodard]

The biggest issue with open source is the erratic configuration management. It ranges from outstanding to abysmal, and since CM is a joint effort between the development team and the end user, it has LOTS of opportunity to break down.

Based on various security notices, that seems to be a widespread problem, regardless of source type.

[bobwoodard]

Now that the paper has been posted, what's your take?

[bobwoodard]

That's the point, bob: Until the paper is released, none of the ABM *nix trolls should be making accusations; otherwise, they're a bunch of slanderous, lying, sacks of sh*t.

How so? Just because an accusation is made before the paper is published doesn't make it slanderous. Sure, it might turn out that way, but who's to know? As I said before, AdTI seems to have a certain mindset, when it comes to the papers they present.

No, bob. Wrong. If you want to state your opinion, fine. But if you want to assert that opinion as fact, uh uh. No way. Nonsense. Evidence is based on fact. If you don't have evidence, don't bother unless you want to be labeled an idiot.

What are you getting at? Notice the wording in my original post, there is a careful use of 'seem' in my statement. Are you looking for things in my post that aren't there?

But asserting one as "superior" is a religious issue.

That's why it'll be interesting to see where the paper goes.

[bobwoodard]

Updated link to the AdTI paper: here

[bobwoodard]

The problem was that somebody discovered the key. It's like you left the key to your front door in the lock. That's not breaking the encryption.

True, the Xing key was unencrypted, but the other 169 had to be broken (although I'm sure that was a great deal easier, after first one was known).

[Bush2000]

How so? Just because an accusation is made before the paper is published doesn't make it slanderous

You will notice, bob, that it is customary to speak in terms of the "alleged offense" or the "suspect" when making unsubstantiated accusations. The presumption of innocence is a component of our legal system and, frankly, there is a fine line between opinion and slander/libel.

[Bush2000]

Now that the paper has been posted, what's your take?

All OS platforms have security risks. Open source is no guarantee of quality.

[bobwoodard]

All OS platforms have security risks. Open source is no guarantee of quality.

Very true, but their whole take about how Open Source will hurt the IT industry reminds me of Chicken Little. They spend almost the entire paper on one type of license and brush the prospect of alternative licensing away in a single paragraph. A more proper title would have been: "Opening the Open Source Debate - A Critique of the GPL License"

Here's another take on the paper, which points out some inaccuracies and misunderstandings in the AdTI paper.

[Bush2000]

Very true, but their whole take about how Open Source will hurt the IT industry reminds me of Chicken Little. They spend almost the entire paper on one type of license and brush the prospect of alternative licensing away in a single paragraph. A more proper title would have been:

True, but as cited by the article, the GPL constitutes the vast majority of open source licenses. It therefore makes sense to focus more heavily on the licenses that are most pertinent to open source. By the way, I do agree the truly open licenses like those of BSD are the way to go, not viral IP licenses like GPL.

[Bush2000]

The existence of Code Red and Nimda doesn't negate the truth my statement: All OS platforms have security issues. Focusing on one or two does little to address the fundamental underlying issue.

[bobwoodard]

Here is another interesting analysis of the AdTI paper. This one focuses on the differences between the retracted and final versions of the paper.